I had a complete HDD crash... Recently bought and installed the new Western Digital SATA hard drive @5200 rpm.
I installed a clean copy of Vista Home Premium as my OS but suddenly after that started getting the BSODs.
Updated all the required drivers and other updates installed, but then again suddenly the BSOD!!! Finally I read topics here, followed a couple of steps suggested by usasma. Since the hard drive is new I don't really think that a memory test/HDD self test would be of much significance. I have also thought of performing the RAM test but haven't done that yet. Neither have I done the malware analysis yet.
It's getting difficult to understand what's gone wrong with my notebook (HP Pavilion dv2519tu, warranty expired) and I'm really looking for some help, which I'm sure members here are more than capable of...
I did the dump analysis and thought of posting it here hoping someone might want to have a look at it and come up with some advice...
Thank you....
Code:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\PuNteR\Desktop\Mini050309-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6000.16830.x86fre.vista_gdr.090302-1506
Machine Name:
Kernel base = 0x81c00000 PsLoadedModuleList = 0x81d11e10
Debug session time: Sun May 3 15:00:04.607 2009 (GMT-7)
System Uptime: 0 days 0:23:14.487
Loading Kernel Symbols
...............................................................
................................................................
.......................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {badbae06, 2, 0, 84eae516}
Unable to load image \SystemRoot\system32\DRIVERS\epfwwfpr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for epfwwfpr.sys
*** ERROR: Module load completed but symbols could not be loaded for epfwwfpr.sys
Probably caused by : NETIO.SYS ( NETIO!WfpFindCalloutEntry+1f )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: badbae06, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 84eae516, address which referenced memory
Debugging Details:
------------------
OVERLAPPED_MODULE: Address regions for 'epfwwfpr' and 'parport.sys' overlap
READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d117e0
badbae06
CURRENT_IRQL: 2
FAULTING_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: ekrn.exe
TRAP_FRAME: a56e9a60 -- (.trap 0xffffffffa56e9a60)
ErrCode = 00000000
eax=badbadfa ebx=836a07a8 ecx=00003800 edx=00000000 esi=a56e9af8 edi=00000000
eip=84eae516 esp=a56e9ad4 ebp=a56e9adc iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00250206
NETIO!WfpFindCalloutEntry+0x1f:
84eae516 8b780c mov edi,dword ptr [eax+0Ch] ds:0023:badbae06=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 84eae516 to 81c8fdc4
STACK_TEXT:
a56e9a60 84eae516 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
a56e9adc 84eba355 a39cbe40 00000014 0000011a NETIO!WfpFindCalloutEntry+0x1f
a56e9b00 84ebb1fc 000001cf 00000000 00000014 NETIO!WfpFindAndDeRefFlowContext+0x4c
a56e9b30 8b40b04a 000001cf 00000000 0000011a NETIO!FwppStreamInject+0xce
a56e9b60 a23ed15c 8dd42f78 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0x60
WARNING: Stack unwind information not available. Following frames may be wrong.
a56e9ba8 a23ee1cc 8dcfa488 00000005 03b39ea0 epfwwfpr+0x615c
a56e9bd4 a23f731c a23fafe0 000001cf 8dcfa488 epfwwfpr+0x71cc
a56e9bfc a23f747a a39fc278 03b39e88 00000018 epfwwfpr+0x1031c
a56e9c58 81d89b19 a39fc278 00000001 03b39e88 epfwwfpr+0x1047a
a56e9d00 81d8ee7d 8bbee030 00000000 00000000 nt!IopXxxControlFile+0x2cf
a56e9d34 81c8caea 000001f8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a56e9d34 77360f34 000001f8 00000000 00000000 nt!KiFastCallEntry+0x12a
03b39e04 00000000 00000000 00000000 00000000 0x77360f34
STACK_COMMAND: kb
FOLLOWUP_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: NETIO!WfpFindCalloutEntry+1f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 478ad439
FAILURE_BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f
BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f
Followup: MachineOwner
---------
1: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {badbae06, 2, 0, 84eae516}
Probably caused by : NETIO.SYS ( NETIO!WfpFindCalloutEntry+1f )
Followup: MachineOwner
---------
1: kd> .bugcheck
Bugcheck code 000000D1
Arguments badbae06 00000002 00000000 84eae516
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: badbae06, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 84eae516, address which referenced memory
Debugging Details:
------------------
OVERLAPPED_MODULE: Address regions for 'epfwwfpr' and 'parport.sys' overlap
READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d117e0
badbae06
CURRENT_IRQL: 2
FAULTING_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: ekrn.exe
TRAP_FRAME: a56e9a60 -- (.trap 0xffffffffa56e9a60)
ErrCode = 00000000
eax=badbadfa ebx=836a07a8 ecx=00003800 edx=00000000 esi=a56e9af8 edi=00000000
eip=84eae516 esp=a56e9ad4 ebp=a56e9adc iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00250206
NETIO!WfpFindCalloutEntry+0x1f:
84eae516 8b780c mov edi,dword ptr [eax+0Ch] ds:0023:badbae06=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 84eae516 to 81c8fdc4
STACK_TEXT:
a56e9a60 84eae516 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
a56e9adc 84eba355 a39cbe40 00000014 0000011a NETIO!WfpFindCalloutEntry+0x1f
a56e9b00 84ebb1fc 000001cf 00000000 00000014 NETIO!WfpFindAndDeRefFlowContext+0x4c
a56e9b30 8b40b04a 000001cf 00000000 0000011a NETIO!FwppStreamInject+0xce
a56e9b60 a23ed15c 8dd42f78 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0x60
WARNING: Stack unwind information not available. Following frames may be wrong.
a56e9ba8 a23ee1cc 8dcfa488 00000005 03b39ea0 epfwwfpr+0x615c
a56e9bd4 a23f731c a23fafe0 000001cf 8dcfa488 epfwwfpr+0x71cc
a56e9bfc a23f747a a39fc278 03b39e88 00000018 epfwwfpr+0x1031c
a56e9c58 81d89b19 a39fc278 00000001 03b39e88 epfwwfpr+0x1047a
a56e9d00 81d8ee7d 8bbee030 00000000 00000000 nt!IopXxxControlFile+0x2cf
a56e9d34 81c8caea 000001f8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a56e9d34 77360f34 000001f8 00000000 00000000 nt!KiFastCallEntry+0x12a
03b39e04 00000000 00000000 00000000 00000000 0x77360f34
STACK_COMMAND: kb
FOLLOWUP_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: NETIO!WfpFindCalloutEntry+1f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 478ad439
FAILURE_BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f
BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f
Followup: MachineOwner
---------